US8321551B2ActiveUtilityA1

Using aggregated DNS information originating from multiple sources to detect anomalous DNS name resolutions

78
Assignee: GARDNER PATRICKPriority: Feb 2, 2010Filed: Feb 2, 2010Granted: Nov 27, 2012
Est. expiryFeb 2, 2030(~3.6 yrs left)· nominal 20-yr term from priority
Inventors:Patrick Gardner
H04L 61/4511H04L 63/1441H04L 63/1425
78
PatentIndex Score
5
Cited by
16
References
20
Claims

Abstract

A DNS security system collects and uses aggregated DNS information originating from a plurality of client computers to detect anomalous DNS name resolutions. A server DNS security component receives multiple transmissions of DNS information from a plurality of client computers, each transmission of DNS information concerning a specific instance of a resolution of a specific DNS name. The server component aggregates the DNS information from the multiple client computers. The server component compares DNS information received from a specific client computer concerning a specific DNS name to aggregated DNS information received from multiple client computers concerning the same DNS name to identify anomalous DNS name resolutions. Where an anomaly concerning received DNS information is identified, a warning can be transmitted to the specific client computer from which the anomalous DNS information was received.

Claims

exact text as granted — not AI-modified
1. A computer implemented method for using aggregated DNS information originating from a plurality of computers to detect anomalous DNS name resolutions, the method comprising the steps of:
 receiving, by a server DNS security component running on a server computer, multiple transmissions of DNS information from a plurality of computers, each transmission of DNS information comprising information concerning a specific instance of a resolution of a specific DNS name; 
 aggregating, by the server DNS security component running on the server computer, received multiple transmissions of DNS information from the plurality of computers; 
 comparing, by the server DNS security component running on the server computer, DNS information received from a specific computer concerning a specific DNS name to aggregated DNS information received from multiple computers concerning the same DNS name; 
 determining, by the server DNS security component running on the server computer, whether the DNS information received from the specific computer concerning the specific DNS name is anomalous, responsive to comparing the DNS information received from the specific computer concerning the specific DNS name to the aggregated DNS information received from multiple computers concerning the same DNS name; 
 responsive to a lack of aggregated DNS information received from multiple computers concerning multiple resolutions of a specific DNS name, isolating, by the server DNS security component running on the server computer, a higher level portion of the specific DNS name; and 
 comparing, by the server DNS security component running on the server computer, DNS information received from a specific computer concerning a specific DNS name to aggregated DNS information received from multiple computers concerning the isolated higher level portion of the specific DNS name. 
 
     
     
       2. The method of  claim 1  further comprising:
 storing, by the server DNS security component running on the server computer, aggregated DNS information received from multiple computers. 
 
     
     
       3. The method of  claim 1  wherein comparing, by the server DNS security component running on the server computer, DNS information received from a specific computer concerning a specific DNS name to aggregated DNS information received from multiple computers concerning the same DNS name further comprises:
 comparing, by the server DNS security component running on the server computer, DNS information received from a specific computer concerning a specific resolution of a specific DNS name to aggregated DNS information received from multiple computers concerning multiple resolutions of the same DNS name. 
 
     
     
       4. The method of  claim 3  further comprising:
 analyzing, by the server DNS security component running on the server computer, at least one factor in the DNS information received from a specific computer concerning a specific resolution of a specific DNS name to aggregated DNS information received from multiple computers concerning multiple resolutions of the same DNS name from a group of factors consisting of: IP address of resolution, method of resolution, time to live, and a DNS resource record. 
 
     
     
       5. The method of  claim 1  wherein determining, by the server DNS security component running on the server computer, whether the DNS information received from the specific computer concerning the specific DNS name is anomalous, responsive to comparing the DNS information received from the specific computer concerning the specific DNS name to the aggregated DNS information received from multiple computers concerning the same DNS name further comprises:
 identifying, by the server DNS security component running on the server computer, at least one anomaly concerning the DNS information received from the specific computer concerning the specific DNS name; and 
 determining, by the server DNS security component running on the server computer, that the DNS information received from the specific computer concerning the specific DNS name is anomalous, responsive to the identifying step. 
 
     
     
       6. The method of  claim 5  wherein identifying, by the server DNS security component running on the server computer, at least one anomaly concerning the DNS information received from the specific computer concerning the specific DNS name further comprises:
 identifying, by the server DNS security component running on the server computer, at least one difference between the DNS information received from the specific computer concerning the specific DNS name and a pattern indicated by the aggregated DNS information received from multiple computers concerning the same DNS name. 
 
     
     
       7. The method of  claim 1  further comprising:
 responsive to determining, by the server DNS security component running on the server computer, whether the DNS information received from the specific computer concerning the specific DNS name is anomalous, transmitting, by the server DNS security component running on the server computer, a corresponding indication to at least one destination. 
 
     
     
       8. The method of  claim 7  further comprising:
 determining, by the server DNS security component running on the server computer, that the DNS information received from the specific computer concerning the specific DNS name is anomalous; and 
 responsive to determining that the DNS information received from the specific computer concerning the specific DNS name is anomalous, transmitting, by the server DNS security component running on the server computer, a warning to the specific computer from which the anomalous DNS information was received. 
 
     
     
       9. The method of  claim 7  further comprising:
 determining, by the server DNS security component running on the server computer, that the DNS information received from the specific computer concerning the specific DNS name is not anomalous; and 
 responsive to determining that the DNS information received from the specific computer concerning the specific DNS name is not anomalous, transmitting, by the server DNS security component running on the server computer, an indication that the DNS information is not anomalous, to the computer from which the not anomalous DNS information was received. 
 
     
     
       10. At least one non-transitory computer readable storage medium storing a computer program product configured for using aggregated DNS information originating from a plurality of computers to detect anomalous DNS name resolutions, the computer program product comprising:
 program code for receiving multiple transmissions of DNS information from a plurality of computers, each transmission of DNS information comprising information concerning a specific instance of a resolution of a specific DNS name; 
 program code for aggregating received multiple transmissions of DNS information from the plurality of computers; 
 program code for comparing DNS information received from a specific computer concerning a specific DNS name to aggregated DNS information received from multiple computers concerning the same DNS name; 
 program code for determining whether the DNS information received from the specific computer concerning the specific DNS name is anomalous, responsive to comparing the DNS information received from the specific computer concerning the specific DNS name to the aggregated DNS information received from multiple computers concerning the same DNS name; 
 responsive to a lack of aggregated DNS information received from multiple computers concerning multiple resolutions of a specific DNS name, isolating a higher level portion of the specific DNS name; and 
 comparing DNS information received from a specific computer concerning a specific DNS name to aggregated DNS information received from multiple computers concerning the isolated higher level portion of the specific DNS name. 
 
     
     
       11. The at least one non-transitory computer readable storage medium of  claim 10  wherein the program code for determining whether the DNS information received from the specific computer concerning the specific DNS name is anomalous, responsive to comparing the DNS information received from the specific computer concerning the specific DNS name to the aggregated DNS information received from multiple computers concerning the same DNS name further comprises:
 program code for identifying at least one anomaly concerning the DNS information received from the specific computer concerning the specific DNS name; and 
 program code for determining that the DNS information received from the specific computer concerning the specific DNS name is anomalous, responsive to the identifying step. 
 
     
     
       12. The at least one non-transitory computer readable storage medium of  claim 11  wherein the program code for identifying at least one anomaly concerning the DNS information received from the specific computer concerning the specific DNS name further comprises:
 program code for identifying at least one difference between the DNS information received from the specific computer concerning the specific DNS name and a pattern indicated by the aggregated DNS information received from multiple computers concerning the same DNS name. 
 
     
     
       13. The at least one non-transitory computer readable storage medium of  claim 12  further comprising:
 program code for identifying attempts to resolve DNS names by computers; 
 program code for gleaning DNS information concerning identified attempts to resolve DNS names by computers; and 
 program code for transmitting gleaned DNS information concerning identified resolutions of DNS names by computers to a remote computer. 
 
     
     
       14. The at least one non-transitory computer readable storage medium of  claim 11  further comprising:
 program code for, responsive to determining whether the DNS information received from the specific computer concerning the specific DNS name is anomalous, transmitting a corresponding indication to at least one destination. 
 
     
     
       15. The at least one non-transitory computer readable storage medium of  claim 14  further comprising:
 program code for determining that the DNS information received from the specific computer concerning the specific DNS name is anomalous; and 
 program code for, responsive to determining that the DNS information received from the specific computer concerning the specific DNS name is anomalous, transmitting a warning to the specific computer from which the anomalous DNS information was received. 
 
     
     
       16. The at least one non-transitory computer readable storage medium of  claim 14  further comprising:
 program code for determining that the DNS information received from the specific computer concerning the specific DNS name is not anomalous; and 
 program code for, responsive to determining that the DNS information received from the specific computer concerning the specific DNS name is not anomalous, transmitting an indication that the DNS information is not anomalous, to the computer from which the not anomalous DNS information was received. 
 
     
     
       17. A computer implemented method for using aggregated DNS information originating from a plurality of computers to detect anomalous DNS name resolutions, the method comprising the steps of:
 receiving, by a server DNS security component running on a server computer, multiple transmissions of DNS information from a plurality of computers, each transmission of DNS information comprising information concerning a specific instance of a resolution of a specific DNS name; 
 aggregating, by the server DNS security component running on the server computer, received multiple transmissions of DNS information from the plurality of computers; 
 comparing, by the server DNS security component running on the server computer, DNS information received from a specific computer concerning a specific DNS name to aggregated DNS information received from multiple computers concerning the same DNS name; 
 wherein comparing, by the server DNS security component running on the server computer, DNS information received from a specific computer concerning a specific DNS name to aggregated DNS information received from multiple computers concerning the same DNS name further comprises comparing, by the server DNS security component running on the server computer, DNS information received from a specific computer concerning a specific resolution of a specific DNS name to aggregated DNS information received from multiple computers concerning multiple resolutions of the same DNS name; 
 determining, by the server DNS security component running on the server computer, whether the DNS information received from the specific computer concerning the specific DNS name is anomalous, responsive to comparing the DNS information received from the specific computer concerning the specific DNS name to the aggregated DNS information received from multiple computers concerning the same DNS name; 
 determining, by the server DNS security component running on the server computer, that the DNS information received from the specific computer concerning the specific DNS name is anomalous; and 
 responsive to determining that the DNS information received from the specific computer concerning the specific DNS name is anomalous, modifying, by the server DNS security component running on the server computer, the specific resolution of the specific DNS name that the DNS information received from the specific client concerns, based on the aggregated DNS information received from multiple computers concerning multiple resolutions of the same DNS name. 
 
     
     
       18. The method of  claim 17  further comprising:
 storing, by the server DNS security component running on the server computer, aggregated DNS information received from multiple computers. 
 
     
     
       19. The method of  claim 17  further comprising:
 analyzing, by the server DNS security component running on the server computer, at least one factor in the DNS information received from a specific computer concerning a specific resolution of a specific DNS name to aggregated DNS information received from multiple computers concerning multiple resolutions of the same DNS name from a group of factors consisting of: IP address of resolution, method of resolution, time to live, and a DNS resource record. 
 
     
     
       20. The method of  claim 17  further comprising:
 responsive to a lack of aggregated DNS information received from multiple computers concerning multiple resolutions of a specific DNS name, isolating, by the server DNS security component running on the server computer, a higher level portion of the specific DNS name; and 
 comparing, by the server DNS security component running on the server computer, DNS information received from a specific computer concerning a specific DNS name to aggregated DNS information received from multiple computers concerning the isolated higher level portion of the specific DNS name.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.